W32.Whitebait@mm


Aliases: BackDoor.Generic7.BIO, Backdoor.Win32.Bifrose.afz, BDS/Bifrose.afz, Trojan-Downloader.Win32.Small.eqp
Variants: W32/Bifrose.NMX, W32/Malware!ab6b, Win32.Whitebait.A@mm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: High
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 45/146
Damage: Medium

Characteristics: W32.Whitebait@mm is a self-replicating worm. It spreads to other systems, which then propagate W32.Whitebait@mm further. This mass-mailing worm is claimed to drop a remote access trojan and to send itself to e-mail addresses found on the local system. Currently, the worm is not capable of sending itself to others because the hard-coded mail server it uses has been turned off.

More details about W32.Whitebait@mm

W32.Whitebait@mm has two parts: the host program and the worm component. Both are UPX-compressed Delphi programs. The host program may be spread via IRC channels. It is a program that displays malicious images. Once run, it copies itself as MSsecu.exe into the Windows directory and displays the images. It then drops the worm component as WinSystem.exe, set to run the worm every time Windows starts. The worm is claimed to search all .html, .htm, .asp, .php, and Readme.txt files on the system for e-mail addresses to use for propagation. The harvested e-mail addresses are saved in the Windows directory. W32.Whitebait@mm replicates by using its own SMTP engine to send e-mail to the addresses it previously harvested. The e-mail message has the subject "WARNING : Black_Piranha" and carries an MSsecu.exe attachment.
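A mail-gateway triage rule for the two message traits stated above (the fixed subject line and the MSsecu.exe attachment), as an added example that is not part of the original page; the sample messages are constructed, and the attachment name check is case-insensitive by assumption:

```python
import email
from email import policy

# Indicators taken from the description: fixed subject and attachment name.
WHITEBAIT_SUBJECT = "WARNING : Black_Piranha"
WHITEBAIT_ATTACHMENT = "mssecu.exe"  # compared case-insensitively (assumption)


def whitebait_indicators(raw_message: str) -> list[str]:
    """Return the Whitebait traits found in a raw RFC 822 message text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject == WHITEBAIT_SUBJECT:
        hits.append("subject")
    # iter_attachments() yields only parts flagged as attachments, so a
    # decoy body that merely mentions the file name does not trigger.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == WHITEBAIT_ATTACHMENT:
            hits.append("attachment:" + name)
    return hits


# Constructed sample shaped like the worm's message (payload bytes are dummy).
SAMPLE_WHITEBAIT = (
    "From: someone@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: WARNING : Black_Piranha\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XX"\r\n'
    "\r\n--XX\r\n"
    "Content-Type: text/plain\r\n\r\nsee attached\r\n"
    "--XX\r\n"
    'Content-Type: application/octet-stream; name="MSsecu.exe"\r\n'
    'Content-Disposition: attachment; filename="MSsecu.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n"
    "--XX--\r\n"
)

# Constructed benign message for comparison.
SAMPLE_CLEAN = (
    "From: a@example.invalid\r\nTo: b@example.invalid\r\n"
    "Subject: lunch\r\n\r\nnoon?\r\n"
)

if __name__ == "__main__":
    print(whitebait_indicators(SAMPLE_WHITEBAIT))  # ['subject', 'attachment:mssecu.exe']
    print(whitebait_indicators(SAMPLE_CLEAN))  # []
```

A single matching trait is enough to quarantine, since the subject is fixed by the worm and a legitimate message is unlikely to reuse it.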

The W32.Whitebait@mm program is disguised as a clean file. Users are often tricked into thinking it is a system tool or an entertaining presentation. It may arrive in an e-mail or instant message from an unknown person, either as an attached file or as an embedded link to an infected server. It may also be downloaded from websites, forums, or peer-to-peer (P2P) file-sharing programs. Drive-by downloads and downloader applications can also cause the infection.